Thoughts on business ethics, corporate governance, risk management and compliance

Main menu

Post navigation

Enterprise Risk Management V/s Strategic Risk Management

Now this post is going to get me killed, all the ardent fans of Enterprise Risk Management (ERM) will take their knives out and I will have to duck under the table to save my skin. However, as I am a dedicated risk activist, I shall ignore that discretion is better part of valor and commit the folly of putting my thoughts in public domain. So here are some of my radical thoughts about ERM not addressing Strategic Risk Management (SRM). For the sake of convenience and familiarity, I am using COSO ERM framework for putting my opinion forward. Let us start with the definition of ERM

“Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

As the definition contains “applied in strategy setting” and “reasonable assurance regarding achievement of entity objectives” it appears that COSO framework is addressing strategic risks. Now let us consider the definition of Strategic Risk Management as given by Risk and Insurance Management Society (RIMS) recently:

“Strategic Risk Management is a business discipline that drives deliberation and action regarding uncertainties and untapped opportunities that affect an organization’s strategy and strategy execution.”

The SRM definition clearly states that it relates to strategy formation and implementation. Secondly, it is talking about the upside of risks and not the downside of risks.

1. Confusion about meaning of SRM

The prevailing perception is that ERM is equivalent to SRM or these are terms which can be used interchangeably. However, from the definitions itself it is evident that these are absolutely two different things.

Secondly, some state the ERM facilitates in viewing risks from a strategic perspective. Even if you read research papers, there is a lot of confusion on the term. For example, in the survey of RIMS “Excellence in Risk Management VII Elevating the Practice of Strategic Risk Management” the top risks mentioned are business disruption, regulatory compliance and property. These risks can help in forming a risk management strategy for an organization. These are not risks relating to formation or implementation of a business strategy hence cannot be equated to strategic risk management. An example of strategic risk is the Swiss Air case, where the company decided to adopt a strategy of becoming a global airline and failed. In a more recent example Tata group purchased Jaguar and Land Rover to build international dominance in automobile industry and the strategy hasn’t yielded much results.

A detailed analysis of ERM frameworks indicates that they are focused on addressing tactical and operational risks. The negative aspects of risks are discussed elaborately for risk mitigation purpose. The four risk mitigation guidelines are –treat, transfer, tolerate and terminate risks. The risk avoidance strategies are mentioned in detail. The focus is normally on operational, financial reporting and regulatory risks.

3. ERM frameworks do not give methodology for exploiting upside risks

The ERM frameworks mention upside of risks but they do not give a methodology, tools or an approach to exploit these risks.ERM is considered a holistic framework, which addresses all risks. In my view, it is now become hackneyed term where all possible risks are put without appreciating the finer differences in them.

Most of the ERM frameworks do not provide detailed guidance on risk managers’ involvement at strategy formation and implementation stage. The link between business strategy and ERM is weak. Aaron M. Konarsky in his research paper – ‘Linking risk management to business strategy, processes and operations’ stated that “four in ten companies do not have formal processes to align risk man­agement with corporate strategy”. Generally, risk management strategies are formed after business strategies are decided. The business strategy is taken as a base for risk management strategy. It indicates that frequently business strategies and risk strategies are not worked on concurrently. The risk management strategies do not explore risk as a business opportunity.

My observation is supported by the paper “Top Ten ‘Next’ Practices for Enterprise Risk Management- 2010 AICPA Survey Results” which specifies one of the bigger trends in risk management is to incorporate ERM into strategic planning process. Clearly, results are indicating that SRM is not being addressed properly.

4. Identifying Strategic Risks

For clarity purpose, conduct two mental tests to assess whether a risk comes under SRM:
1. Does the risk relate to business strategy of the organization? That is, either business strategy formation or implementation.
2. How does the information relating to the risk impact strategic decision-making of the organization?

Examples of strategic decisions are – deciding to outsource or offshore processes, acquiring an organization, developing a new product line, changing financial structuring etc. Taking the example of offshoring processes, when risk managers provide to the CEO and board information about offshoring risks, then they are doing strategic risk management.

Closing thoughts

The finer differences between ERM and SRM need to be recognized. Although the focus on ERM has increased after the financial crises, there is still a long road ahead. Major challenges said for ERM implementation is financial resources and management commitment. These two are interlinked, if management does not see demonstrated value, resources will not be allocated. Risk managers need to explore the idea of first focusing on SRM and then gradually moving to ERM. The logic behind this suggestion is that SRM is focusing on adding business value. With a good SRM initiative, management will see business value and it will become easier for risk managers to present a business case for full-fledged ERM.

A complex topic and definitely requires a few more blog posts for further discussion. In your opinion, are ERM and SRM same or different? How do you think these should be approached?

Post navigation

Sonia, the standards-setting entities always seem to be walking a tightrope of wanting to provide guidance and direction for risk management without adding limiting details. A perfectly fine approach to allow flexibility at this development stage in defining all forms of risk management, but as you imply from your knife comment some of the dialogue gets pretty heated as soon as definitive statements are introduced into definitions…and complaints when they aren’t introduced! COSO, ISO, RIMS et al are trying to be as inclusive as possible and I consider their strategic and enterprise modifiers to be meaningless until some of the details as you suggest are added.

Risk management is the metaphorical elephant described by the blind men from their own touch points. My view is risk management is a management discipline and is not owned by risk managers who generally define it by process first. Strategic risk management and enterprise risk management should be clearly defined as different terms. I’ll side with those who say SRM is a subset of ERM with SRM primarily involving just the board and the C-level while ERM extends from the board throughout the organization. The usual strategic versus tactical distinctions should be included.

Agree with you, risk managers I think have taken COSO ERM cube as a box and just dump everything there which they can’t figure out. We need much clearer guidelines and understanding of concpets to provide value add to business. Attempting to give a framework for overall acceptance doesn’t help as it doesn’t provide clairty on practical application. Business managers are justified in complianing that risk managers do not add business value.

Also, I think that before the financial crises not many risk managers were focused on strategic risk management. However, with various survey results stating that boards and CEOs are looking for advise on strategic risks, risk managers generally have started using the term without understanding it or assessing how they need to actually demonstrate value.

I was reading the IRM consultation paper on Risk Appetite. One of the few documents which I have found till date which define strategic, operational and tactical risks separately. And the best part is it defines multiple risk appetites for different risks. Although it is still a little bit general, but it does provide some useful practically implementable guidance.

Note For Readers

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, risk management advice, or other professional advice or services. Before making any decision or taking any action that may affect your business, you should consult a qualified risk manager. The author gives her permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at jaspal.sonia1@gmail.com